Bug 2272210 (CVE-2024-3094)

Summary: CVE-2024-3094 xz: malicious code in distributed source
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: adudiak, asoldano, bbaranow, bdettelb, bdm, bmaxwell, brian.stansberry, caswilli, cdewolf, chazlett, darran.lofthouse, dfreiber, dkreling, dosoudil, drow, fjansen, fjuma, gabravier, germano.massullo, hkataria, ivassile, iweiss, jburrell, jmitchel, jsherril, jtanner, kaycoth, klaas, kshier, lgao, luizcosta, luke, mosmerov, msochure, mstefank, msvehla, nwallace, nweather, oezr, piotr.zygielo, pjindal, pmackay, rstancel, security-response-team, sidakwo, smaestri, stcannon, thomas, tom.jenkinson, vkumar, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source tree, and that object file is then used to modify specific functions in the liblzma code. The result is a modified liblzma library that can be used by any software linked against it, allowing the malicious code to intercept and modify the data passed through the library.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2272206

Description Zack Miele 2024-03-29 15:56:47 UTC
Malicious code was discovered in the tarballs distributed from upstream sources beginning in 5.6.0.